More and more organisations are being asked by their customers to provide a SOC 2 report. But how do you request such a report and what is involved? In this article we take you through the entire process.
It starts with the choice of your auditor. A SOC 2 report must be prepared by an independent, qualified auditor. In the Netherlands these are typically RE-certified IT auditors. Choose an auditor who has experience with your type of organisation and technology stack.
After selecting the auditor comes scope definition. Which Trust Services Criteria do you include? Security is always mandatory. In addition, you can add Availability, Processing Integrity, Confidentiality and Privacy. The choice depends on what your customers expect and which risks are relevant.
Next the readiness phase starts. The auditor takes stock of which controls you already have and what is still missing. This is the moment to close gaps before the formal audit period begins. Invest sufficient time here, because shortcomings that you resolve now do not have to appear in the report.
For a Type II report the observation period then starts. The minimum period is three months, but six to twelve months is more common and gives customers more confidence. During this period you must demonstrate that your controls work consistently and effectively. The auditor collects evidence, performs tests and documents findings.
After the observation period the auditor prepares the report. The report contains a description of your system, the controls that were tested, the test results and the auditor's opinion. In the case of findings, you get the opportunity to include a management response.
Once delivered, you can share the SOC 2 report with customers and prospects. The report is usually confidential and is shared under an NDA. Many organisations make a SOC 2 bridge letter available to cover the period between two reports.
At Secure Audit we guide the entire process. From scope definition and readiness to the formal audit and report delivery. Get in touch to start the process.
About the author
Partner | IT Auditor